January 2011
Privacy and Data Access in a World of Online Computing: A Call To Action
Executive Summary
A new generation of technologies is transforming the world of computing. The traditional model of
computing—with software running on a user’s own PC or a business’s on-site computers—is increasingly
being augmented by computing delivered as a service over the Internet to consumers, enterprises and
government users alike. Often called “cloud” computing, this model of computing gives all users greater
choice and flexibility while driving significant efficiency gains, lowering IT costs, and creating incentives
and online platforms for innovation. Cloud computing technologies, like earlier advances in IT, hold
great promise for spurring economic development and job growth.
However, the future of cloud computing is being threatened by a growing thicket of inconsistent legal
requirements. National governments are imposing conflicting legal obligations and asserting competing
claims of jurisdiction over user content and data held by online computing service providers. Divergent
rules on data privacy, data retention, law enforcement access to user data, censorship, national security,
and other issues are placing providers in an impossible, Catch-22 position, with several companies facing
protracted legal battles and substantial fines in foreign courts and threats of imprisonment for their
employees. This global legal quagmire jeopardizes long-term investment and innovation in cloud
computing. If companies are forced to store data locally to mitigate these jurisdictional conflicts, the
costs for investment and innovation in cloud computing will increase, many of the efficiency and
performance gains of cloud computing may be lost, and the benefits to users will be reduced.
Consumers and governments also have important interests at stake. Consumers, like businesses, have a
fundamental interest in knowing that their online data is subject to consistent, predictable privacy
protections. As consumers move their information from desktops to their phones or PDAs and into the
cloud, they want to know that it will be safe and protected. Consumer confidence in the security and
privacy of online computing will not exist, however, without clear and consistent rules governing who
may access the data and under what circumstances.
For their part, governments have interests in realizing the efficiencies and economic benefits that online
computing offers while also advancing the safety of the online environment and protecting government
and private-sector networks and assets. Safeguarding these interests in the emerging online computing
world presents significant challenges. In particular, governments must be able to support the
development and use of online computing while protecting the privacy and security of their citizens’
data. At the same time, governments also must grapple with the dynamic threats that the online
computing environment can present. The fact that these threats arise in an interconnected
environment—one in which there is a simultaneous diffusion and instant connection of data, a greater
ability for criminals to obscure their identities, and uncertainty over the application of traditional
notions of jurisdiction—can greatly complicate governments’ ability to lawfully access data for
legitimate law enforcement and national security purposes. These complications are amplified by
countries’ divergent legal rules, which make it more difficult for providers to respond quickly even to
government demands that are clearly legitimate.
Industry has been working hard to address these problems, and Microsoft has called for even greater
transparency around privacy and security in order to enhance users’ confidence in cloud computing. At
the same time, we recognize that industry cannot solve the problems alone, and we likewise have called
for responsible government action. In particular, it is essential that governments around the world step
in to harmonize existing rules and provide clear guidance on lawful government access to user data.
Globally consistent rules are vital to realizing the many benefits of cloud computing.
____________________________________________________________________________________
I. The Shift to Online Computing and Its Benefits
Over the past several years, the Internet has radically redefined the way we communicate, access
content, and share information. Recent innovations in computing, however, combined with massive
investments in fundamental computing architectures and broadband networks, are ushering in a new
era of “online” or “cloud” computing.
Online computing allows users to access IT applications and computing resources over the Internet. This
gives users greater choice and flexibility by enabling them to combine the power and reliability of
software running on their own PC or other device with the ease and efficiency of computing delivered as
a service. While consumers have used online computing for years—through services such as online
email, blogging, social networking, and many others—businesses today are also turning to cloud
computing to augment their existing IT systems. Many enterprises use online services for business
processes such as customer relationship management, video conferencing, and website management,
and are likely to rely on cloud computing for a far greater range of services in the future.
The benefits for users of these new computing technologies include:
• Greater efficiencies for organizations to customize and rapidly scale their IT systems for their
particular needs. With cloud computing, users pay only for the services they need, and they can
add or reduce computing capacity nearly instantaneously. For example, Domino’s Pizza receives 50
percent more orders on Super Bowl Sunday than it does at its next busiest time, a typical Friday
night. Rather than buy additional IT hardware to handle its Super Bowl demands—capacity which
would go unused the rest of the year—Domino’s Pizza turned to the cloud to handle its excess IT
needs for that day.
• Better collaboration through “anytime, anywhere” access. Because cloud applications and data are
stored remotely, cloud users can share data from any location and any device that has an Internet
connection. In the London Borough of Lewisham, residents report graffiti or illegal dumping by
taking a photo on their mobile phone, then submitting the photo via a mobile application, text
message, or website. The web portal also allows residents to search for all reports in their
neighborhood and to see whether the problems have been addressed. The amount of graffiti has
dropped since the online reporting tool was launched, and the response time for handling
complaints has improved by 87 percent.
• New opportunities for innovation as developers move to the new online computing paradigm. By
improving access to computing resources and reducing cost, cloud technologies lower barriers to
entry. This helps developers create new applications and helps entrepreneurs launch small
businesses. Software startup Sharpcloud uses common social-networking tools to create dynamic,
collaborative strategy roadmaps. Hosting its solution in the cloud allowed Sharpcloud to devote its
financial resources to developing a compelling service instead of buying and managing a server farm.
In partnership with Fujitsu, Sharpcloud’s strategy roadmaps have helped reduce project planning
time by 75 percent.
Like earlier advances in technology, cloud computing can spur economic growth and job creation by
helping businesses become more agile and their workers more productive. Cloud services could add
more than $166 billion in net new business revenues to the U.S. economy between 2010 and 2013.
Another estimate indicates that cloud computing could create between 300,000 and 1.5 million new
jobs in Europe in the next five years.
Cloud computing also has the potential to address pressing social challenges. In healthcare, for
example, cloud technologies have already helped the Cleveland Clinic improve the quality of care.
Patients with chronic health conditions, such as diabetes and heart disease, upload data from “at-home”
medical devices to personal health records accessible by doctors at the Cleveland Clinic. Because
physicians had more information about their patients’ vital signs and activity levels, they were better
positioned to advise patients about when to come in for an office visit. Timely office visits not only
create efficiency but also help avert medical emergencies.
On the environmental front, a cloud-based energy management service being developed by Microsoft
and Ford Motor Company will help owners of electrical vehicles save money by identifying the optimum
“off peak” times for charging their cars. The same service will also help utility companies determine
how to adjust the power grid to handle the increased demand. More efficient use of energy reduces
costs and allows all of us to meet our responsibilities to the environment.
Cloud computing will create similar benefits in education, workforce training, public safety, and other
areas. In education, for example, by tapping into applications and services offered through the cloud,
libraries and community centers in underserved communities will be able to access computer power and
information that today is financially or geographically out of reach. Cloud computing will also offer
school administrations the same cost savings, agility, choice, and access to cutting-edge computing that
are available to other organizations. This will open new opportunities for schools to expand the quality
and accessibility of education, particularly in remote and underserved communities.
To achieve these benefits, however, cloud computing providers must be able to operate datacenters in
multiple locations and to transfer data freely among them. This is necessary for several reasons:
• Reliability. Enterprises will adopt online computing services only if they are extremely reliable.
To provide this reliability, providers need to be able to replicate data and applications across
multiple locations. Thus, in the event of a natural disaster or datacenter failure in one location,
customers’ applications and data will still be available from a different location.
• Efficiency. To maximize efficiency, online computing providers need to be able to transfer
workloads and data in real time based on needs and available resources. For instance, during
the workday in one part of the world, providers must have the ability to shift computing
demand to datacenters where it is night (and where the local need for computing is less). The
ability to shift data and applications continually among datacenters is also necessary to avoid
under-utilization of datacenters, which can significantly drive up overall energy consumption.
• Performance. Everyone has experienced the frustration of using an online service that is slow
or otherwise experiences delays. Although these delays can have many causes—such as
network congestion or slow servers—delays may also result from the fact that the service is
being provided from a datacenter that is located far away—a condition also known as latency.
The ability to locate datacenters in multiple locations and transfer data between them allows
providers to respond instantaneously to fluctuations in demand and thereby to reduce latency
and improve performance.
At the same time, to promote trust in cloud computing, providers also must be able to assure their
customers that their data will be kept private and secure. Data that cloud computing providers collect,
store, and process on behalf of their customers may be personal, confidential, or otherwise sensitive.
For consumers, this might include personal emails, photos, or videos, blog postings, or information
about their web surfing activities. For businesses, this might include documents or communications that
reveal trade secrets, competitively valuable information, and key assets (e.g., price lists, customer
contacts, business plans, etc.), while for governments this data might include personal information
collected from citizens (e.g., tax records), employee information and communications, or other
information that has been entrusted to government. Providers also may collect data such as a name
and address, billing and account information, and other personal data when a customer signs up for
service and, to manage services effectively and securely, often collect IP addresses, account activity, and
similar data. Ensuring the privacy and security of this information is paramount if cloud computing is to
reach its true potential.
II. Conflicting Legal Rules Threaten the Growth of Online Computing
The ability of providers to live up to these user expectations regarding the privacy and security of their
information is critical, not only for the future of cloud computing, but also to protect fundamental rights
of privacy.
As providers process and store greater amounts of user data, however, they face a growing dilemma.
Governments, confronted with the challenge of online crime and the use of the Internet in connection
with threats to public safety or national security (e.g., cyber attacks or terrorist plots), increasingly are
focused on obtaining access to user content and other data held by these providers. Multiple
jurisdictions may have interest in a single matter, each seeking access to user information. There are,
however, no universally agreed upon rules governing such access by law enforcement. The result is that
service providers are increasingly subject to divergent rules and competing assertions of jurisdiction
over user content and data. While these rules take many forms, conflicts between them are being felt in
two distinct ways:
• Conflicting claims of jurisdiction. Law enforcement in different countries often follow different
rules on the conditions under which they will assert jurisdiction over user data. Some regimes
determine that jurisdiction exists only if the data is physically stored in the country, while others
assert jurisdiction so long as the service in question is offered there or if the user to whom the data
relates resides there. Still others assert jurisdiction so long as the service provider has a place of
business in-country, regardless of where the data is located. Each jurisdiction also has its legal
standards and process for lawful access demands by law enforcement. Complying with a lawful
demand for user data in one jurisdiction may place a provider at risk of violating the privacy or other
laws of the jurisdiction where the data actually sits. Also, this global thicket of conflicting rules
makes it extremely difficult for providers to give their customers accurate and adequate notice of
the conditions under which their data might be accessed by law enforcement.
• Inconsistent legal obligations. Differences in national rules on such issues as data privacy, data
retention, and law enforcement access also create conflicts among substantive legal obligations. For
instance, the disclosure of data to one government in response to a demand that is lawful under
that country’s rules may violate the privacy rules of another jurisdiction. Compliance with the data
retention rules of one country may be considered too long in another country and too short in a
third. Indeed, given the absence of a broad agreement among countries on data retention and data
access, it is plausible that a country could mandate the deletion of data about its own citizens stored
in another country, even though that country’s laws either permit or require that the data be
retained for a longer period. Another example arises in connection with so-called “blocking
statutes,” which impose civil or even criminal liability on a company if that company complies with
warrants, subpoenas, or court orders issued by a second country for access to data. If a company in
one country is served with a subpoena for user data located in a second country that has a blocking
statute, the company could be forced to choose between refusing to comply with the first country’s
subpoena (and potentially being held in contempt of court in that country) or violating the second
country’s blocking statute (and potentially facing penalties in that jurisdiction).
Many governments have attempted to establish procedures to avoid such conflicts, but the mechanisms
for doing so have not been successful in practice. In particular, it is not uncommon for a country to have
a number of bilateral Mutual Legal Assistance Treaties (MLATs) with other countries. MLATs are
intended to provide a government-to-government mechanism for obtaining access to data held in a
foreign country. The international judicial process of “letters rogatory” can serve the same function in
criminal cases where no MLAT exists, and in civil cases. These procedures, however, almost always are
too cumbersome and slow to be useful in fast-moving criminal investigations or other settings. This is
particularly true in the context of online crime, in which threats evolve quickly and the conduct and
evidence at issue can easily traverse multiple jurisdictions. Also, although nearly four dozen countries
have ratified and/or signed the Council of Europe’s Convention on Cybercrime, which seeks to expedite
the sharing of evidence on computer crimes, the Convention does not provide a mechanism for
resolving competing claims of jurisdiction over data or differences in substantive legal rules.
As a result, law enforcement in certain countries have begun to ignore these established procedures and
simply demand that local employers disclose data regardless of where it is located or to which
jurisdiction the relevant service is provided—demands that often are backed up by threats of fines or
even imprisonment. This places online computing providers in an untenable position. If they refuse to
disclose data stored abroad, they face punishment from local law enforcement. If they agree to disclose
the data, they face the risk not only of a significant loss of customer trust, but also the potential of
liability under the privacy regime or related laws of the jurisdiction where the data is stored. This
Catch-22 also can have unintended effects for governments with respect to their ability to access information
for law enforcement purposes. Specifically, service providers that are caught in the no-win situation
may be slower in responding to governments’ requests for access to data as they grapple with what to
do and how to strike the right compromise, however unlikely such a compromise may be.
There have been several examples of the serious threats these competing and, at times, conflicting
requirements can pose to service providers and the user data they possess:
• Brazil. A Brazilian court demanded that Google turn over information related to users of its social
networking site, despite the fact that the information was stored in the United States. Google
reportedly insisted initially that the Brazilian government go through the U.S. judicial system to
obtain the data but nevertheless was ordered to disclose the data to Brazilian authorities or pay a
daily fine of $23,000 for noncompliance.
• Italy. Italy imposes a 12-month data retention obligation on online service providers, while some
other countries, including some European countries, require that data be retained for a shorter
period of time. Some Italian prosecutors have interpreted Italy’s data retention law to apply to data
held by U.S. providers even if they do not store data in Italy. In fact, prosecutors have threatened
criminal proceedings to enforce compliance with their views.
• India. Citing national security concerns, India pressured Research in Motion to set up servers in
India and to give government authorities the ability to monitor encrypted user communications.
The Indian government also claimed to have made similar demands of other
communication services, including Google and Skype. Although RIM maintains that the geographic
location of a server has no bearing on a government's ability to crack encrypted data, Indian experts
say that placing a server in India allows the government to access user content more easily, using
Indian laws, instead of waiting for the cooperation of a foreign company or government agency.
To encourage continued investment in cloud computing services, there must be greater clarity and
consistency on rules that will protect the privacy and security of user data while also ensuring legitimate
law enforcement needs are addressed.
III. Industry Efforts to Cope With These Problems
Online computing providers have taken several steps to seek to resolve these dilemmas, or at least
lessen their impact. For example, when responding to a government demand to block content deemed
illegal in that country, Microsoft will, to the extent technically possible, block access only in the country
issuing the order while continuing to provide access to users in other countries. The company also
informs local users that access to the content was blocked due to a government demand. Other online
computing providers have taken similar steps. Google, for example, has a policy of blocking YouTube
videos that are clearly illegal in a particular country only to users in that country, but will continue to
allow users located elsewhere to access such videos.
Online computing providers also are investing considerable resources to ensure that their physical
operations and corporate structure minimize the problems posed by conflicting legal rules—often at the
expense of the efficiencies and other benefits cloud computing can provide. But these efforts cannot
entirely solve the problem—for both business and technical reasons, it simply is impractical to locate
servers in every jurisdiction or to strictly segregate data in multiple locations based on the presumed
location of users.
The leading private-sector effort in this area to date is the Global Network Initiative (GNI), which was
announced in late 2008 by a coalition of companies, investors, and human rights organizations. The GNI
promulgated voluntary guidelines for companies to follow in determining how to respond to
government demands for censorship or access to user data. Under these guidelines, participants in the
GNI—which include many of the leading global service providers—have agreed to require that
governments follow established domestic legal process, and to interpret government restrictions,
demands for user data, and jurisdictional claims narrowly so as to minimize the negative effects of such
demands on user-generated content.
Despite these important steps, the private sector alone cannot resolve these problems. Companies that
are physically present and operating in a jurisdiction have a legal obligation and practical imperative to
comply with local law and to accede to local law enforcement demands for user data. Their refusal to
do so can imperil their businesses and jeopardize the safety of their employees. These problems will
only grow as cloud computing becomes more popular. Failure to resolve these looming issues will pose
a serious crisis for industry, consumers, and governments alike, and risk the future expansion of the
Internet and the vast potential for innovation that is presented by the next generation of computing.
IV. The Need for Government Leadership – A Call to Action
While industry must play its part, any long-term solution to the problem of conflicting jurisdictional
claims and inconsistent legal obligations ultimately requires leadership from governments. Delivering
clarity in this area undoubtedly poses challenges, but it also presents opportunities, since governments
that take the lead in resolving these issues are likely to have a significant advantage in promoting the
growth of online computing in their jurisdictions—and reaping the benefits these technologies offer for
job creation, productivity, and economic growth. There are several options worth exploring in this
regard:
• A new multilateral framework. One ambitious, but also perhaps most effective, avenue for a
solution would be for governments to seek a multilateral framework on these issues in the form of a
treaty or similar international instrument. This could include updating an existing treaty (such as the
Convention on Cybercrime) or drafting a new one. While this option would undoubtedly require
significant diplomatic leadership and resources, it offers perhaps the best hope of addressing
legitimate government needs in a coherent fashion while ensuring that business and consumer
interests in privacy and freedom of expression are adequately met on a global scale. To initiate this
process, an entity such as the G8 or G20 could take up the issue, then ask the OECD, APEC, or a
similar multilateral organization to research the problems and make recommendations for how to
resolve them.
• More active bilateral consultations. A less formal option would be for countries to engage
independently in consultations and consensus building on procedures for resolving data access and
censorship issues in ways that avoid conflicts. Even bilateral discussions on these issues will increase
awareness of the problems created by conflicting claims of jurisdiction and pave the way for a
longer-term, more formal solution. The law enforcement and diplomatic community in the United
States, EU member states, the Commonwealth countries, and other leading nations could lead such
consultations by: (1) engaging with their counterparts in other governments to resolve ongoing
issues where laws appear to conflict, with an aim toward creating a lasting solution to systemic
issues; and/or (2) signaling to industry a willingness to engage in government-to-government dialog
on a case-by-case basis when a company finds itself facing conflicting legal obligations.
• Enhanced MLATs. Another option would be for individual governments to press for enhanced
MLATs with their MLAT partners. Specifically, MLAT signatories could seek to improve the speed
and effectiveness of assistance between them. While it is an open question whether this option
could provide a permanent solution to these issues, if such enhanced MLATs were pursued by the
United States, EU member states, the Commonwealth countries, and other leading nations, they
would at a minimum provide a vehicle for these governments to address the challenges facing
service providers in their respective countries.
To further advance consideration of such options, Microsoft has called for legislation in the United
States that would direct the U.S. Secretary of State to engage in efforts in the OECD and other fora to
promote consistency in laws regulating data privacy, security, and retention, as well as assertions of
jurisdiction over data by law enforcement and others.
Whatever option governments take, it is essential that these deliberations include not only
representatives from law enforcement and the justice system, but also representatives of industry,
consumer groups, and other interested stakeholders. Cloud computing will only reach its full potential if
providers can establish datacenters and offer services in multiple jurisdictions, without fear that each
step will invite competing claims of jurisdiction and government access to data. The rules must balance
the legitimate needs of law enforcement, industry, and users, and it is vital that all stakeholders are
represented in any deliberations.
V. Conclusion
With the growth in online computing, increasing amounts of user data are being processed and
transferred across national borders. To take full advantage of online computing, users must be given
reliable assurances regarding the privacy and security of their online data, while providers of online
computing must be able to offer such assurances without fear of conflicting legal obligations. It is vital
that governments around the world engage on this issue and work with industry to adopt harmonized,
coordinated rules for access to, and the protection of, online data.
For more information please contact publicpolicy@microsoft.com or visit
www.microsoft.com/publicpolicy.